Privacy Policy

Effective Date: March 8, 2026

Your use of the Wildwood API Platform is subject to this Privacy Policy, which governs our collection, use, processing, and disclosure of personal data.

Table of Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Data Isolation & Multi-Tenancy
  4. Data Sharing & Disclosure
  5. Data Storage & Sensitive Data Handling
  6. Data Security
  7. Data Breach & Security Incident Notification
  8. Data Retention
  9. Your Rights
  10. GDPR Compliance
  11. CCPA / CPRA Compliance
  12. HIPAA
  13. Cookies & Tracking
  14. Children's Privacy
  15. International Data Transfers
  16. Changes to This Policy
  17. Contact Us

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and password (stored in hashed form). If you register through a third-party authentication provider (Google, Apple, Microsoft, etc.), we receive your name and email from that provider.

1.2 Company and Application Data

As a multi-tenant platform, we collect company names, application configurations, and related organizational data you provide when setting up your workspace.

1.3 Usage Data

We automatically collect information about how you interact with the Platform, including API call logs, page views, feature usage, session data, and telemetry. This helps us improve our services and diagnose issues.

1.4 AI Interaction Data

If you use Wildwood's AI features, we may process conversation data, prompts, and model configurations. AI interactions are scoped to your application and are not shared across tenants.

1.5 Payment Information

Payment processing is handled by third-party providers (e.g., Stripe). We do not store full credit card numbers. We retain transaction identifiers and subscription status for billing purposes.

1.6 Device and Technical Information

We collect IP addresses, browser type, operating system, device identifiers, and similar technical information to ensure security and optimize performance.

1.7 Data Stored via the Platform

The Platform may store data generated by or submitted through connected applications, including but not limited to:

  • Personally Identifiable Information ("PII")
  • Financial and payment-related records
  • Authentication credentials and access tokens
  • Business-confidential and proprietary data
  • Application logs, telemetry, and metadata

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Wildwood API Platform
  • Authenticate users and enforce multi-tenant data isolation
  • Process transactions and manage subscriptions
  • Send administrative communications (security alerts, service updates)
  • Monitor and analyze usage trends to improve our services
  • Detect, prevent, and address security incidents and fraud
  • Conduct audit logging for security monitoring and forensic purposes
  • Comply with legal obligations

3. Data Isolation & Multi-Tenancy

The Wildwood API Platform is built on a multi-tenant architecture where all data is strictly isolated by company and application. Your data is never accessible to other tenants. We enforce tenant boundaries at the database, API, and application layers.

You may only access data within your own company and application scope. Any attempt to access another tenant's data constitutes a material breach of our Terms and Conditions.

4. Data Sharing & Disclosure

We do not sell your personal information. We may share data with:

  • Service providers — Third-party services that help us operate the Platform (hosting, payment processing, email delivery)
  • AI providers — When you use AI features, prompts are sent to configured AI providers (e.g., OpenAI, Anthropic) as necessary to deliver the service. You configure which AI providers are used within your application settings.
  • Third-party applications — If you configure the Platform to pass data to third-party applications, such data transmission may fall outside Wildwood Works' direct control. We are not responsible for how third-party applications collect, process, store, or transmit data received through the Platform.
  • Legal compliance — When required by law, court order, or to protect our rights
  • Business transfers — In connection with a merger, acquisition, or sale of assets

5. Data Storage & Sensitive Data Handling

5.1 User Obligation to Classify Data

You are solely responsible for classifying the sensitivity of data you transmit to or store within the Platform. Before storing regulated data categories (including PHI, cardholder data, or data subject to GDPR/CCPA), you must:

  • Notify Wildwood Works in writing of the data categories being stored
  • Ensure that your use of the Platform is compliant with all applicable laws and regulations governing that data
  • Execute any required supplemental agreements, including a Business Associate Agreement ("BAA") for HIPAA-regulated data or a Data Processing Agreement ("DPA") for GDPR-regulated data

5.2 No Warranty of Suitability for Regulated Data

Wildwood Works makes no representation that the Platform is certified or approved for use with all categories of regulated data. The Platform is not certified as HIPAA-compliant, PCI DSS Level 1-compliant, or FedRAMP-authorized unless explicitly stated in a separate written certification provided by Wildwood Works. Users who require such certifications must obtain written confirmation before storing regulated data.

6. Data Security

Wildwood Works implements commercially reasonable technical and organizational security measures designed to protect Platform data, including:

  • Encryption in Transit: All data transmitted between users and the Platform is encrypted using TLS 1.2 or higher
  • Encryption at Rest: Sensitive data is encrypted using ASP.NET Core Data Protection with database-backed key storage
  • Access Controls: Role-based access control (RBAC) and tenant-scoped isolation applied at the database and API layers
  • API Key Management: API credentials are encrypted and never stored in plaintext
  • JWT Authentication: Token-based authentication with automatic rotation and sliding expiration
  • Audit Logging: Access and activity logs are maintained for security monitoring and forensic purposes
  • Vulnerability Management: Regular security assessments are conducted

These measures are subject to change as technology and threats evolve. The existence of security measures does not constitute a guarantee against all possible threats or unauthorized access.

7. Data Breach & Security Incident Notification

7.1 Risk Acknowledgment

No security system is impenetrable. Despite commercially reasonable security measures, Wildwood Works cannot guarantee that unauthorized third parties will never be able to defeat our security controls or access data stored within the Platform. You acknowledge and accept this inherent risk as a condition of using the Platform.

7.2 Breach Notification

In the event Wildwood Works becomes aware of a confirmed security breach affecting user data, we will:

  • Notify affected users without undue delay and, where required by applicable law, within 72 hours of discovery
  • Provide a description of the nature of the breach, categories of data affected, and remediation steps being taken
  • Cooperate reasonably with your breach response and regulatory notification obligations

Notification will be provided to the primary email address on file for your account. It is your responsibility to maintain accurate and current contact information.

7.3 User-Caused Incidents

Wildwood Works is not responsible for security incidents caused by or attributed to:

  • Compromise of your API credentials, passwords, or access tokens
  • Misconfigured permissions or access controls set by you
  • Insecure third-party applications connected by you
  • Phishing, social engineering, or unauthorized access via your own systems

8. Data Retention

8.1 Active Accounts

We retain your account data for as long as your account is active. Usage logs and analytics data are retained for up to 12 months.

8.2 Data Retention Upon Termination

Upon expiration or termination of your account or subscription, Wildwood Works may permanently delete your data within 30–90 days following the termination date. It is your responsibility to export or retrieve all data prior to account termination. Wildwood Works is under no obligation to retain or restore data after the applicable deletion window.

8.3 Deletion Requests

You may request deletion of your account and associated data at any time by contacting us.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to or restrict processing of your data
  • Data portability
  • Withdraw consent where processing is based on consent

To exercise these rights, contact us at privacy@wildwoodworks.io.

10. GDPR Compliance

If you are located in the European Economic Area ("EEA") or the United Kingdom, or if you store or process the personal data of EEA or UK residents, the following applies:

  • Wildwood Works acts as a data processor with respect to personal data you store in the Platform, and you act as the data controller
  • A Data Processing Agreement ("DPA"), compliant with Article 28 of the GDPR, is available upon request and must be executed before processing personal data of EEA residents
  • You are responsible for ensuring you have a lawful basis for processing personal data and for honouring data subject rights requests
  • Cross-border transfers of personal data outside the EEA are governed by appropriate transfer mechanisms, including Standard Contractual Clauses ("SCCs")

11. CCPA / CPRA Compliance

If you are a business subject to the California Consumer Privacy Act ("CCPA") or California Privacy Rights Act ("CPRA"), Wildwood Works acts as a service provider as defined under the CCPA with respect to personal information you store in the Platform. Wildwood Works does not sell or share personal information received from you for cross-context behavioural advertising purposes.

12. HIPAA

If you intend to store or process Protected Health Information ("PHI") on the Platform, you must execute a Business Associate Agreement ("BAA") with Wildwood Works prior to doing so. Storing PHI without an executed BAA is a material breach of the Terms and Conditions and is strictly prohibited.

13. Cookies & Tracking

We use cookies for authentication session management and platform preferences. We do not use third-party advertising cookies. Essential cookies are required for the Platform to function.

14. Children's Privacy

The Wildwood API Platform is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us.

15. International Data Transfers

Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers in compliance with applicable data protection laws, including Standard Contractual Clauses where required.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Where required by law, we will provide at least 30 days' notice before material changes take effect. Your continued use of the Platform after changes constitutes acceptance of the updated policy.

17. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at: